21 production-ready rules that fire on real threats — tuned to minimize false positives with process context and allowlists. Source code available.
Alerts on ransom note creation, file renames to encrypted extensions (LockBit, Akira, Cl0p, and 30+ others), mass file renaming, and backup wipe commands.
Detects UID changes to root from non-root processes via setuid/setreuid syscalls, excluding known privilege-separation binaries such as sshd.
Alerts on kernel module loads by processes other than known module management tools (insmod, modprobe, kmod).
Catches shell processes (bash, sh, zsh, dash, ksh) making outbound network connections — the #1 post-exploitation technique.
Detects memfd_create usage — the primary vector for fileless malware that executes entirely from memory.
Detects cross-process memory writes via process_vm_writev — used by injection tools to write shellcode into other processes.
Alerts on writes to /etc/passwd, /etc/shadow, /etc/hosts, /etc/ld.so.preload, and other files that adversaries modify to establish persistence or escalate privilege.
Alerts on new cron job creation in /etc/cron.* and /var/spool/cron/ by non-system processes.
Alerts on writes to any .ssh/authorized_keys file by processes other than ssh-copy-id.
Detects writes to /etc/sudoers or /etc/sudoers.d/ by processes other than visudo.
Alerts when a new .service unit file is created in /etc/systemd/system/ by unexpected processes.
Alerts on an SSH login success that follows 3+ failed attempts from the same IP within a 10-minute window.
Detects processes launched with a non-empty LD_PRELOAD environment variable, a common technique for hooking system calls.
Flags suspicious unshare/setns calls with user, PID, or mount namespace flags from unexpected processes.
Detects miner process names, stratum protocol patterns in command lines, mining pool ports, and known pool DNS queries.
Detects commands that stop or disable auditd, a common attacker step to reduce detection coverage before proceeding.
Alerts on setenforce 0 or attempts to write permissive/disabled mode to /etc/selinux/config.
Flags sudo invocations used to set SUID bits, run chmod 777, or write to sensitive system paths.
Flags new or modified udev rules files written by processes other than udevadm or known package managers.
Stateful detection of repeated SSH failures from the same source IP within a time window, with cooldown to prevent alert floods.
Alerts when non-network processes make outbound connections to well-known service ports (22, 25, 53, 80, 443, 3306, 5432).
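The two SSH rules above (a success that follows 3+ failures within a 10-minute window, and the stateful repeated-failure rule with a cooldown against alert floods) are easiest to see as code. The detector below is an added illustration, not the product's rule source; it assumes standard OpenSSH syslog wording with an ISO 8601 timestamp prefix, and the log lines it replays are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})")  # ISO 8601 prefix assumed
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")  # OpenSSH wording
OK_RE = re.compile(r"Accepted (?:password|publickey) for \S+ from (\S+) port")
WINDOW = COOLDOWN = timedelta(minutes=10)  # failure window; per-(rule, ip) alert cooldown
THRESHOLD = 3                              # 3+ failures from one source IP

class SshDetector:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.last_alert = {}                # (rule, ip) -> time of the last alert
    def _prune(self, ip, now):
        q = self.failures[ip]
        while q and now - q[0] > WINDOW:    # forget failures outside the window
            q.popleft()
        return len(q)
    def _emit(self, rule, ip, now):
        last = self.last_alert.get((rule, ip))
        if last is None or now - last >= COOLDOWN:  # otherwise swallow the repeat
            self.last_alert[(rule, ip)] = now
            return (rule, ip, now.isoformat())
    def feed(self, line):  # one log line in; an alert tuple or None out
        ts = TS_RE.match(line)
        if not ts:
            return None
        now = datetime.fromisoformat(ts.group(1))
        fail, ok = FAIL_RE.search(line), OK_RE.search(line)
        if fail:
            ip = fail.group(1)
            self.failures[ip].append(now)
            if self._prune(ip, now) >= THRESHOLD:
                return self._emit("ssh_bruteforce", ip, now)
        elif ok and self._prune(ok.group(1), now) >= THRESHOLD:
            self.failures[ok.group(1)].clear()  # sequence completed; reset the counter
            return self._emit("ssh_success_after_failures", ok.group(1), now)
        return None

def run(lines):
    det = SshDetector()
    return [a for a in map(det.feed, lines) if a]
SAMPLE_LOG = [  # constructed sample auth log for the demo (not real data)
    "2024-05-01T10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "2024-05-01T10:00:05 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2",
    "2024-05-01T10:00:09 host sshd[1203]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-05-01T10:00:12 host sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2",
    "2024-05-01T10:00:20 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51004 ssh2",
    "2024-05-01T10:45:00 host sshd[1301]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2",
]
```

Replaying `SAMPLE_LOG` through `run()` yields exactly two alerts: the third failure fires the brute-force rule, the fourth is swallowed by the cooldown, the following success fires the success-after-failures rule, and the clean publickey login from the other address is silent.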
Want to see these rules fire on a real Linux host?